Basic
What you're here for

How to know a page is authentic

A beginner's guide to PGP signatures

This file was last modified on January 01 1970 00:00:00.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

There are three ways you landed on this page.
  • You clicked the link on the footer of this website or checked the tutorials and saw this
  • You were looking up a tutorial on PGP
  • Someone wants you to learn about PGP encryption and signed messages

Whichever the case, this article will only be an introductory reading so you can get started. You can go in various degrees of depth depending on what you want to do with this, but by the end of this article you'll at least have a generally good understanding of PGP.

What is a PGP signature?

If you've ever been on dread forum and have read some of the high profile posters (for example, the 7 year anniversary message), you may have noticed that there will usually be a tag that says -----BEGIN PGP SIGNED MESSAGE-----. You may also have noticed that this website does the same thing: every article has a title, and then a -----BEGIN PGP SIGNED MESSAGE----- tag, and only then begin.

PGP (Pretty Good Privacy) is an encryption protocol that I personally find particularly useful. It can be used to encrypt a message, making it impossible (or rather, unreasonable within the lifetime of the universe) to know what is being written without the necessary keys, but the keys are irrefutable proof that the person who claims to have written a message is the one who wrote the message. More importantly, though, PGP can be used to sign a message in cleartext.

This website is fragile. It's my first website, and while I have a lot of respect for friday, who hosts it on his server, I know no human is infalliable. I'm also going to end up writing things that may offend people for one reason or another. So if someone decided to hack this website (...please do not do that btw), how would a reader know that they're reading the real deal even if I become impossible to contact? Plus, if someone were to mirror the articles, how could you be sure that the person didn't change anything to fit their goals?

Reading a signature

For the sake of brevity, I am assuming you know how PGP works. I touch on it later, but if you're here just for knowing what to do here you have it.

You'll need:

  • a signed message (Ctrl+A and Ctrl+C this page, for example)
  • the PGP public key of the person that claims to have written the message (like the one in my contacts)
  • a program for decoding PGP keys (depends on your OS, but you can also verify signatures on your browser - I don't reccomend it but you do you)

Simply load the public key (it will become part of your keychain for future decryptions) into your software and feed a file with the message (or Ctrl+V). Congradulations, your computer now knows whether the person who claims to have written your message is the one who wrote your message!

For my website, I try to make it so you can Ctrl+A (to select all the text), Ctrl+C and Ctrl+V any page and get a valid signature. Having that said, pages like the main page that have two or more articles shown at the same time must have each article selected separately. Either way, if a page has no PGP signature, you can be sure I didn't approve it.

That said... doesn't this feel barren? I told you what to do, but you don't know how it works! So let's dedicate the rest of this article to...

Understanding PGP

Basics of encryption

If you didn't want the CIA (or a hacker with a personal agenda against you - sometimes it's hard to know which is worse) to know what you are saying to a friend, you can use codes to obfuscate the message. This is called cryptography - "kryptos" is Greek for "hidden", "graphein" for "writing": the art of hiding your writing.

There have been many ciphers throughout History. Some are just ways of being able to hide a message in plain sight. These are usually substituion ciphers like the pigpen cipher and steganography. If you know these techniques, you won't have trouble decoding the message within. Some others are ways of making a message harder to read by looking like gibberish. That's when we get into real cryptography.

Nowadays we have supercomputers in our pockets. Any of the 26! (that's 26 factorial: 26*25*24*...*2*1) combinations of letters in a message with a substitution cipher can be produced in less than a second, and the real message can be deduced with the help of bayesian probability (the letter "E" is the most common in English texts, so it's not unlikely that it will be the most frequent in a message).

We need more complex algorithms, but we can't just treat them haphazadly. For example, hashing (which is how your passwords are hopefully stored in a database) are very useful to avoid collision between hashes (as in, no two words have the same hash unless they're the same) and are pretty good at making it unguessable what the original word was, but that also means you can't reverse the process to decrypt the word. The Vigenere Cipher is useful at making words unguessable by anyone without the passcode (well, it can be broken now but that's beside the point I'm making), but if the passcode is intercepted the cat is out of the bag.

That is to say that we need to know what we want out of an encryption method before we commit to it.

Objectives of PGP

PGP is useful because it solves four problems:

  1. Only the person that's intended to see the message can read it
  2. Only the person that's supposed to have written it can sign it
  3. Even if every message (including the credentials) is intercepted, these two properties will still have to hold up
  4. Fast

From these properties, we can derive the tools used.

  1. There must be a decryption key only the reader has
  2. There must be an encryption key only the writer has
  3. The decryption keys must ALWAYS be secret
  4. This process must be symmetric

How it works under the hood

The first three properties can be fulfilled with asymmetric encryption. This is when both people have two keys: one public and one private. They send the public key to one another. Messages encrypted with the public key can only be encrypted with the private key and vice-versa, but a public key can never decrypt a message encrypted with that public key. The same goes for the private key.

For example, you want to send me a message. You have my public key, so you encrypt the message with that, and then send me the message. Now it can only be encrypted with my private key, which only I have. Objectives 1 and 3 are guaranteed in this method.

For objective 2, you can sign your message before encryption: encrypt the message with your private key, encrypt the encrypted message with my public key and send me your public key. I can then unencrypt the message with my private key, then unencrypt it again with your public key. This gives us a secure method of communication that people with only my public key and your public key would be unable to read. You may also find that this "signature" method is the only part of PGP that my website actually uses - I don't know the public key of any of my readers, and I do want to keep the message readable for anyone coming in.

However, there is one more problem. If you know about cryptography you will know that this last statement contradicts everything else that's said before. The fourth objective is for it to be fast, but asymmetric encryption has a tendency to be very slow.

Symmetric encryption - when there is a decryption key that is known by both parties - actively goes against point 1 (only the reader has the decryption key), point 2 (only the writer has the encryption key) and point 3 (if they agree on a key and someone else is listening, the attacker knows the decryption keys). With that said, symmetric encryption like AES is very fast and can be incredibly robust if you get over the drawbacks.

The solution you will find is very simple: use a mix of both. Use asymmetric encryption to send the key for symmetric encryption. Also, if every message has a different symmetric encryption, even if one message is broken they still can't get to the next one.

So what actually ends up happening is this:

  1. Choose random number, this will be our AES key
  2. Sign the AES key with your private key
  3. Compress the message so that there is less to encrypt
  4. Encrypt the message using AES with the key chosen in step 1
  5. Send the encrypted message and the encrypted key
The truth is that there is some more complexity to it, but this is the theory of it. If you want to dig deeper, I would advise you study the standard in more depth.

Final considerations

Should you use PGP on your website? I have no idea.

I personally like it because it's proof that I exist and that I did indeed write what I wrote. No one can put words in my mouth, but I am also powerless to deny I wrote anything I sign. That goes for anyone who tries to use this system: you're free from other people's incrimination, but you're a slave to your own.

Also, I noticed that things like alt and title in HTML tags may end up being copied into the clipboard. My solution was to take those out (or only have them in parts outside the article - the placement of some things may start to make more sense now), but the truth is that this all depends on your browser. Because of this, my system may not be 100% foolproof - the signature may be correct for the text I tested, but what your browser reads may not be the same that mine does. If you want alt-text to be there for the sake of accessibility, I would advise you not to use a copy-paste approach to PGP-signing your articles.

I don't advise you to just make your public key available to the public in a download. Like I said earlier, make sure your key is accessible also through a database like openpgp and leave the identifier and e-mail explicit for anyone to be able to use it even if the download file for your key goes down. Plus it's a way to verify that the file download hasn't been compromised.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRwQBNgtLaog/IeOuVJNXnu82UrRwUCZ78tMwAKCRBJNXnu82Ur
R7InAQD+z7neTJH721L/X325t0vaZGgG/qk8MGCN//xpSZkD6AD+KcFN1IvzpAQk
jcoR5H8YblSGN+nHCE6VP8hmKidG0gQ=
=v0bR
-----END PGP SIGNATURE-----


Comments


Name (required):
Website (optional):
Comment:

Your comment cannot be over 1000 characters long. BBcode not supported yet.

chro64 - 10/03/2025 at 11:19:39am
I loved your tutorial

LurkBeforePost 2024-2025
Formerly hosted on aftersleep, currently hosted on nearlyfreespeech
May not work on browsers before 2001 (idk i haven't checked).
Check here to see whether an article was made by me or if it was tampered with!
This website's button! This website's button! Aftersleep.org! Viewable with any browser! In the name of the Father, the Son and the Holy Spirit. I do NOT agree to these terms